IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

View Only

Back to discussions

Expand all | Collapse all

Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

1. Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

Like
Charlie Kemp
Posted Sat March 23, 2024 11:51 AM

Reply
Morning all,

I hope you're doing well!

We've had some... "fun-times" should we say trying to ingest Crowdstrike FDR into our platform, and unfortunately still are without luck. According to support, the logs are coming in, but QRadar is failing to extract the logs from the txt.gz file that is pulls from the SQS queue (this is recommended by both AWS, CS, and IBM at this point).

Has anyone else had any issues with Crowdstrike, or for that matter ANY AWS SQS queues not being able to be extracted, parsed, or visible via. log activity?

Kind Regards,

Charlie

------------------------------
Charlie Kemp
------------------------------
2. RE: Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

Like
Maksym Tykhenko
Posted Mon March 25, 2024 08:48 AM

Reply
Hi Charlie,

~month ago Crowstrike FDR DSM was released for QRadar https://www.ibm.com/docs/en/dsm?topic=configuration-crowdstrike-falcon-data-replicator

which is working via AWS S3 REST API. Have you tried it?

Kind regards,

------------------------------
Maksym Tykhenko
------------------------------

Original Message
3. RE: Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

Like
Paulius Roslekas
Posted Wed August 14, 2024 04:48 AM

Reply
Hello,

No luck :(, i was able to pull logs with python script provided by Falcon, but with the following Qradar configuration not receiving anything. However, according to the firewall logs it seems that Qradar constantly connecting to SQS. Also left "Use As A Gateway Log Source" unchecked so far. But i believe it should work without it, its only for Log source creation according to specific field from log. Any help ? Thanks

------------------------------
Paulius Roslekas
------------------------------

Original Message

IBM QRadar

Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

Charlie KempSat March 23, 2024 11:51 AM

Maksym TykhenkoMon March 25, 2024 08:48 AM

Paulius RoslekasWed August 14, 2024 04:48 AM

1. Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

2. RE: Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

3. RE: Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

Additional
Resources

Office

Quick Links

IBM QRadar

Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

Charlie KempSat March 23, 2024 11:51 AM

Maksym TykhenkoMon March 25, 2024 08:48 AM

Paulius RoslekasWed August 14, 2024 04:48 AM

1. Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

2. RE: Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

3. RE: Crowdstrike Falcon Data Replicator via. SQS Queue/AWS API

Additional Resources

Office

Quick Links

Additional
Resources